Oracle® Application Server Single Sign-On Administrator's Guide
10g (10.1.4.0.1)

Part Number B15988-01
7 Enabling SSL

This chapter explains how to enable the single sign-on server for Secure Sockets Layer (SSL). In an SSL handshake, the Web server sends the browser its digital certificate. The browser takes the server's public key from that certificate, encrypts a random value with it, and sends the result to the server; only the holder of the matching private key can recover that value, and both sides derive the secret session key from it. The session key then protects everything exchanged over the connection. Enabling the single sign-on server for SSL extends this protection to the login traffic on which the server's partner applications depend, so that user credentials and single sign-on cookies are not sent in the clear.

Out of the box, the single sign-on server uses the HTTP port of the Oracle HTTP Server. You can, however, configure SSL after installation using either an automated or manual approach.

Automated SSL Configuration

For common topologies, the SSL Configuration Tool can perform the steps required to enable post-installation SSL of the Oracle HTTP Server. For details about the tool and how to run it, see "Using the SSL Configuration Tool" in the Oracle Application Server Administrator's Guide.

If you want to monitor your server, the Beacon Certificate Authorities certificate file, b64InternetCertificate.txt, in the installation directory for the Enterprise Manager Agent, must contain the certificate of the infrastructure server. See the document Oracle Enterprise Manager Advanced Configuration for details. In particular, see the section on configuring beacons to monitor Web applications over HTTPS in the chapter on Oracle Enterprise Manager security.


Note:

Before using the SSL Configuration Tool, you must understand the limitations of configuring an SSL port. See "Caveats About Configuring SSL" (Section 7.5) for details.

Manual SSL Configuration

If you prefer a manual approach to enabling SSL, complete the following tasks in the order listed:


Note:

If the Oracle HTTP Server is configured for SSL (topic 1), you must configure the single sign-on server for SSL as well (the remaining topics); otherwise users will be unable to access single sign-on URLs. To relax this restriction for particular URLs that you want to serve over HTTP, disable the SSL directives for those URLs by editing ORACLE_HOME/sso/conf/sso_apache.conf. Anything served that way, including any cookie it sets, travels in the clear.

7.1 Enable SSL on the Single Sign-On Middle Tier

The following steps involve configuring the Oracle HTTP Server. In performing them, keep the following in mind:

To quickly enable SSL on the Oracle HTTP Server, do the following:

  1. Back up the opmn.xml file, found at ORACLE_HOME/opmn/conf.

  2. In opmn.xml, change the value of the start-mode parameter to ssl-enabled. The parameter is the data element in the XML fragment that follows, shown here with its new value.

    <ias-component id="HTTP_Server"> 
        <process-type id="HTTP_Server" module-id="OHS"> 
            <module-data> 
               <category id="start-parameters"> 
                   <data id="start-mode" value="ssl-enabled"/> 
               </category> 
            </module-data> 
        <process-set id="HTTP_Server" numprocs="1"/> 
        </process-type> 
    </ias-component>
    
    
  3. Update the distributed cluster management database with the following change:

    ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct opmn
    
    
  4. Reload the modified opmn configuration file:

    ORACLE_HOME/opmn/bin/opmnctl reload 
    
    
  5. Keep a non-SSL port active on the Oracle HTTP Server that communicates with the OracleAS Single Sign-On server.

    The External Applications portlet communicates with the single sign-on server over a non-SSL port. The HTTP port is enabled by default. If you have not disabled the port, this step requires no action. Note that users will not be able to use this port for logins. See "Caveats About Configuring SSL" (Section 7.5) for details.

  6. Restart the Oracle HTTP Server:

    ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server
    
    
  7. Verify that you have enabled the single sign-on middle tier for SSL by trying to access the OracleAS welcome page, using the format https://host:ssl_port.


Note:

If your installation has two or more middle tiers, make sure that you complete step 2 in "Configure the Oracle HTTP servers on the single sign-on middle tiers". This is a subsection of "Multiple Single Sign-On Middle Tiers, One Oracle Internet Directory", one of the deployment scenarios presented in Chapter 9.
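The procedure above, as an added shell example that is not part of Oracle's documentation or tools: it performs the start-mode edit of step 2 on a file, wraps steps 3, 4 and 6 for a real instance, and checks the SSL listener for step 7. The opmn.xml fragment is constructed here; the pre-SSL value ssl-disabled, the use of curl and openssl for the check, and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not Oracle's code. Performs the opmn.xml edit from step 2
# on a file, wraps steps 3, 4 and 6 for a live instance, and verifies the
# listener (step 7). Assumes a POSIX shell with sed and grep; the live and
# verification functions additionally assume ORACLE_HOME, curl and openssl.

# Print the current start-mode value (first occurrence) in FILE.
get_start_mode() {
    sed -n 's/.*<data id="start-mode" value="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Back up FILE to FILE.bak and set every start-mode parameter to MODE.
# A standard instance has one HTTP_Server component, hence one start-mode.
# Returns 1 if the parameter is absent, 2 if MODE is not a known value.
set_start_mode() {
    file=$1; mode=$2
    case $mode in
        ssl-enabled|ssl-disabled) ;;
        *) echo "unknown start-mode: $mode" >&2; return 2 ;;
    esac
    grep -q '<data id="start-mode"' "$file" || {
        echo "no start-mode parameter in $file" >&2; return 1; }
    cp "$file" "$file.bak"
    sed 's/\(<data id="start-mode" value="\)[^"]*"/\1'"$mode"'"/' "$file.bak" > "$file"
}

# Steps 1 to 4 and 6 against the real instance. Not run by this script.
apply_ssl_mode() {
    [ -n "$ORACLE_HOME" ] || { echo "ORACLE_HOME is not set" >&2; return 1; }
    set_start_mode "$ORACLE_HOME/opmn/conf/opmn.xml" ssl-enabled &&
    "$ORACLE_HOME/dcm/bin/dcmctl" updateconfig -ct opmn &&
    "$ORACLE_HOME/opmn/bin/opmnctl" reload &&
    "$ORACLE_HOME/opmn/bin/opmnctl" stopproc process-type=HTTP_Server &&
    "$ORACLE_HOME/opmn/bin/opmnctl" startproc process-type=HTTP_Server
}

# Step 7: the SSL port must answer, and the certificate it presents should
# be the one you expect. -k is needed while the installer's self-signed
# certificate is in use; the subject is printed so you can check it by eye.
verify_ssl_listener() {
    host=$1; port=$2
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -dates
    code=$(curl -k -s -o /dev/null -w '%{http_code}' "https://$host:$port/")
    case $code in
        2*|3*) echo "https://$host:$port/ answered $code"; return 0 ;;
        *)     echo "https://$host:$port/ answered '$code'" >&2; return 1 ;;
    esac
}

# Constructed sample of the opmn.xml fragment shown in step 2, with the
# assumed pre-SSL value ssl-disabled. Not a real opmn.xml.
SAMPLE_OPMN=${TMPDIR:-/tmp}/opmn-sample-$$.xml
cat > "$SAMPLE_OPMN" <<'EOF'
<ias-component id="HTTP_Server">
    <process-type id="HTTP_Server" module-id="OHS">
        <module-data>
            <category id="start-parameters">
                <data id="start-mode" value="ssl-disabled"/>
            </category>
        </module-data>
        <process-set id="HTTP_Server" numprocs="1"/>
    </process-type>
</ias-component>
EOF

echo "before: $(get_start_mode "$SAMPLE_OPMN")"
set_start_mode "$SAMPLE_OPMN" ssl-enabled
echo "after:  $(get_start_mode "$SAMPLE_OPMN")"
```

On a live middle tier, run apply_ssl_mode with ORACLE_HOME set and then verify_ssl_listener with the host and the Listen port from ssl.conf; the backup written by set_start_mode is the step 1 copy to restore if the server does not come back.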

7.2 Reconfigure the Identity Management Infrastructure Database

To reconfigure the Identity Management Infrastructure Database, you must:

  1. Change all references of http in single sign-on URLs to https within the identity management infrastructure database.

  2. When you change single sign-on URLs in the database, you must also change these URLs in the targets.xml file on the single sign-on middle tier. targets.xml is the configuration file for the various targets that Oracle Enterprise Manager monitors. One of these targets is OracleAS Single Sign-On.

  3. Configure Oracle Enterprise Manager Security.

These steps are described in the subsequent sections.

7.2.1 Change Single Sign-On URLs

Run the ssocfg script, taking care to enter the command on the computer where the single sign-on middle tier is located. Use the following syntax:

  • UNIX:

    $ORACLE_HOME/sso/bin/ssocfg.sh protocol host ssl_port
    
    
  • Windows:

    %ORACLE_HOME%\sso\bin\ssocfg.bat protocol host ssl_port
    
    

In this case, protocol is https. (To change back to HTTP, use http.) The parameter host is the host name, or server name, of the Oracle HTTP listener for the single sign-on server.

Here is an example:

ssocfg.sh https login.acme.com 4443

To determine the correct port number, examine the ssl.conf file. Port 4443 is the port number that the OracleAS installer assigns during installation.

If you run ssocfg successfully, the script returns a status 0. To confirm that you were successful, restart the OC4J_SECURITY instance:

ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY

Then try logging in to the single sign-on server at its SSL address:

https://host:ssl_port/sso/

7.2.2 Update targets.xml

After running ssocfg, update the targets.xml file on the single sign-on middle tier.

To update targets.xml:

  1. Back up the file:

    cp ORACLE_HOME/sysman/emd/targets.xml ORACLE_HOME/sysman/emd/targets.xml.backup
    
    
  2. Open the file and find the target type oracle_sso_server. Within this target type, locate and edit the three attributes that you passed to ssocfg:

    • HTTPMachine—the HTTP server host name

    • HTTPPort—the SSL port number of the Oracle HTTP server

    • HTTPProtocol—the server protocol

    If, for example, you run ssocfg like this:

    ORACLE_HOME/sso/bin/ssocfg.sh https sso.mydomain.com 4443
    
    

    Update the three attributes this way:

    <Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
    <Property NAME="HTTPPort" VALUE="4443"/>
    <Property NAME="HTTPProtocol" VALUE="HTTPS"/>
    
    
  3. Save and close the file.

  4. Reload the OracleAS console:

    ORACLE_HOME/bin/emctl reload
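The targets.xml update above, and its dependence on the arguments given to ssocfg in Section 7.2.1, as an added shell example that is not Oracle's documentation or tooling: it rewrites the three properties inside the oracle_sso_server target only and checks that the file agrees with the ssocfg arguments. The targets.xml content is constructed; the assumption that the target is written as a <Target TYPE="oracle_sso_server"> element with one-line Property entries, the second target type, and the function names are all mine.

```shell
#!/bin/sh
# Added example, not Oracle's code. Brings the oracle_sso_server target in
# targets.xml into line with the protocol, host and port that were passed
# to ssocfg, and checks that the two agree. Assumes a POSIX shell with sed
# and grep, and that the target is written as
# <Target TYPE="oracle_sso_server" ...> ... </Target> containing one-line
# <Property NAME="..." VALUE="..."/> entries, as in the fragment above.

# Print the VALUE of property NAME inside the oracle_sso_server target.
sso_target_property() {
    sed -n '/TYPE="oracle_sso_server"/,/<\/Target>/p' "$1" |
        sed -n 's/.*<Property NAME="'"$2"'" VALUE="\([^"]*\)".*/\1/p' | head -n 1
}

# Compare targets.xml with the ssocfg arguments (protocol host ssl_port).
# Returns 1 and names each differing property if they disagree.
check_sso_target() {
    file=$1; host=$3; port=$4
    proto=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')   # HTTPS, as targets.xml spells it
    rc=0
    for pair in "HTTPMachine=$host" "HTTPPort=$port" "HTTPProtocol=$proto"; do
        name=${pair%%=*}; want=${pair#*=}
        got=$(sso_target_property "$file" "$name")
        if [ "$got" != "$want" ]; then
            echo "$name is '$got' in targets.xml but ssocfg was given '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Back up FILE and rewrite the three properties inside the oracle_sso_server
# target only; other targets (for example the HTTP server's own non-SSL
# port) are left alone.
update_sso_target() {
    file=$1; host=$3; port=$4
    proto=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    cp "$file" "$file.backup"
    sed '/TYPE="oracle_sso_server"/,/<\/Target>/{
        s/\(<Property NAME="HTTPMachine" VALUE="\)[^"]*"/\1'"$host"'"/
        s/\(<Property NAME="HTTPPort" VALUE="\)[^"]*"/\1'"$port"'"/
        s/\(<Property NAME="HTTPProtocol" VALUE="\)[^"]*"/\1'"$proto"'"/
    }' "$file.backup" > "$file"
}

# Constructed targets.xml with two targets, both still pointing at the HTTP
# port. Target types and names other than oracle_sso_server are illustrative.
SAMPLE_TARGETS=${TMPDIR:-/tmp}/targets-sample-$$.xml
cat > "$SAMPLE_TARGETS" <<'EOF'
<Targets>
  <Target TYPE="oracle_apache" NAME="HTTP_Server">
    <Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
    <Property NAME="HTTPPort" VALUE="7777"/>
    <Property NAME="HTTPProtocol" VALUE="HTTP"/>
  </Target>
  <Target TYPE="oracle_sso_server" NAME="sso_server">
    <Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
    <Property NAME="HTTPPort" VALUE="7777"/>
    <Property NAME="HTTPProtocol" VALUE="HTTP"/>
  </Target>
</Targets>
EOF

# Same arguments as the ssocfg run in the text: https sso.mydomain.com 4443
check_sso_target "$SAMPLE_TARGETS" https sso.mydomain.com 4443 || echo "targets.xml is stale"
update_sso_target "$SAMPLE_TARGETS" https sso.mydomain.com 4443
check_sso_target "$SAMPLE_TARGETS" https sso.mydomain.com 4443 && echo "targets.xml matches ssocfg"
```

Run check_sso_target against ORACLE_HOME/sysman/emd/targets.xml with the exact arguments you gave ssocfg before and after the edit; a mismatch it reports after emctl reload is what leaves Enterprise Manager polling the old URL.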
    

7.2.3 Configure Oracle Enterprise Manager Security

Since you are enabling the single sign-on server for SSL, you will need to follow all the configuration instructions detailed in the chapter about Oracle Enterprise Manager security in Oracle Enterprise Manager Advanced Configuration. Specifically, pay close attention to the section titled "Configuring Beacons to Monitor Web Applications Over HTTPS." Oracle Beacons, which are part of the Application Service Level Management features of Enterprise Manager, provide application performance availability and performance monitoring. Beacons are used to monitor a URL over SSL using an HTTPS URL.

7.3 Protect Single Sign-On URLs

When the single sign-on server is enabled for SSL, you must specify that HTTP access be limited to those hosts that must access the server using this protocol. This is especially true in the case of those computers hosting the OracleAS installer and OracleAS Portal.

This section provides instructions for two deployments: one without a load balancing router in front of the single sign-on server and OracleAS Portal, and one with such a router.

7.3.1 Protecting URLs in the Absence of a Load Balancing Router

Use these instructions when no load balancing router is deployed in front of the single sign-on server and OracleAS Portal. In ORACLE_HOME/sso/conf/sso_apache.conf, locate and uncomment the directives that follow, then provide a value for the Allow from parameter.

OracleAS Portal must use HTTP to access the URL that provides a list of external applications. The directive that follows enables such access. Replace <your_domain_name> with the fully qualified Portal host name; then uncomment the directive. If you have more than one Portal database, enter just the domain name for these databases. Note that Apache checks a host or domain name in Allow from by reverse-resolving the client's IP address, so the rule is only as trustworthy as that DNS; where the Portal hosts have fixed addresses, an IP address or network in Allow from is the more robust choice.

#<Location "/sso/eappslist">
#  Order deny,allow
#  Deny from all
#  Allow from <your_domain_name>
#</Location>

After editing sso_apache.conf, update the repository for Distributed Cluster Management:

ORACLE_HOME/dcm/bin/dcmctl updateConfig -v -d

7.3.2 Protecting URLs in the Presence of a Load Balancing Router

In a deployment configuration where the single sign-on server and OracleAS Portal are front-ended by a load-balancing router, set the rule for limiting access to hosts directly on the load-balancing router. Do not add such a rule to ORACLE_HOME/sso/conf/sso_apache.conf to allow or deny access to a host in this configuration.

Here is an example of such a rule for BigIP:

if (client_addr != <infrastructure db IP> netmask 255.255.255.0 and
    (http_uri starts_with "/sso/eappslist")) {
    discard
}
else {
    use pool SSO
}

Note:

This is a specific example and is presented for illustration only. In practice, you should ensure that any access rule you apply is consistent with the load balancing router in use.

7.4 Restart the Oracle HTTP Server and the Single Sign-On Middle Tier

Issue these two commands:

ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY

7.5 Caveats About Configuring SSL

There are two cases you must consider when configuring SSL:

When you have configured OracleAS Single Sign-On Server for SSL, you must also maintain a non-SSL port on the Oracle HTTP Server that front-ends the OracleAS Single Sign-On Server. This port is required for OracleAS Single Sign-On operation whether or not SSL is configured.

However, if you do this, note that users will not, by default, be able to use the non-SSL port to access OracleAS Single Sign-On-protected content on that Oracle HTTP Server. For example, if you have configured OracleAS Single Sign-On to protect http://myhost.mydomain.com on Oracle HTTP Server 1, users will receive an error if they enter this URL in their browser. They must use https instead.

When you have configured a partner application for SSL (this includes configuring OracleAS Single Sign-On), to enable users to access content using both an SSL and a non-SSL port, you must configure two instances of the partner application. One instance should use the SSL port and the other should use the non-SSL port. See "Configuring and Administering Partner Applications" in Chapter 4 for details.


Note:

Oracle does not recommend blocking the non-SSL port for the Oracle HTTP Server that is front-ending the OracleAS Single Sign-On Server.

7.6 Reregister Partner Applications

Once you have enabled the partner application for SSL, reregister mod_osso on the single sign-on middle tier and on the application middle tiers. This step configures mod_osso to use the effective single sign-on URL. See "Configuring mod_osso with Virtual Hosts (SSL and non-SSL)" in Chapter 4 for instructions. To reregister OracleAS Portal, an application integrated with the single sign-on SDK, use the ptlconfig tool. To learn how to use ptlconfig, see Appendix B in Oracle Application Server Portal Configuration Guide.


Note:

After reregistering the partner application, by default users will not be able to access protected content using a non-SSL port. See "Caveats About Configuring SSL" (Section 7.5) for details.

7.7 Secure Transmission of mod_osso Cookies

You can add the OssoSecureCookies directive to set the Secure flag on all cookies created by mod_osso. This tells the browser to transmit those cookies only on connections secured by HTTPS, so a cookie issued over the SSL port is never replayed to the non-SSL port that Section 7.5 requires you to keep open. The directive covers only cookies that mod_osso itself creates; a session cookie set by the application behind it must be secured in that application's own configuration.

An example of this directive, in the mod_osso configuration file located in ORACLE_HOME/Apache/Apache/conf/mod_osso.conf, is as follows:

<IfModule mod_osso.c>
OssoIpCheck off
OssoIdleTimeout off
OssoSecureCookies on
OssoConfigFile osso/osso.conf
<Location /j2ee/webapp>
require valid-user
AuthType Basic
</Location>
</IfModule>
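A way to confirm that the directive is in effect, as an added shell example that is not part of Oracle's documentation or tools: it fetches the response headers of a mod_osso-protected URL and flags every Set-Cookie that lacks Secure. The header dumps below are constructed, the cookie names and values in them are illustrative rather than captured from a server, and the use of curl is an assumption.

```shell
#!/bin/sh
# Added example, not Oracle's code. Audits the Set-Cookie headers returned
# by a mod_osso-protected URL for the Secure attribute that
# OssoSecureCookies on is meant to add. Assumes a POSIX shell with grep and
# sed; fetch_headers additionally assumes curl. Cookie names and values in
# the constructed samples are illustrative, not captured from a server.

# Save the response headers of URL to FILE. Redirects are not followed, so
# each hop of the login sequence is inspected on its own; -k tolerates the
# installer's self-signed certificate.
fetch_headers() {
    curl -k -s -D "$2" -o /dev/null "$1"
}

# Return 0 if every Set-Cookie in FILE carries Secure, 1 if any does not
# (the offending cookie names go to stderr), 2 if the response set no
# cookie at all, which means the check tested nothing.
# Attribute names are case-insensitive; CRs from a real dump are stripped.
check_secure_cookies() {
    total=$(tr -d '\r' < "$1" | grep -ic '^Set-Cookie:' || true)
    if [ "$total" -eq 0 ]; then
        echo "no Set-Cookie header in $1; nothing to check" >&2
        return 2
    fi
    insecure=$(tr -d '\r' < "$1" | grep -i '^Set-Cookie:' |
        grep -Eiv ';[[:space:]]*secure[[:space:]]*(;|$)' |
        sed 's/^[^:]*:[[:space:]]*\([^=;]*\)=.*/\1/')
    if [ -z "$insecure" ]; then
        echo "all $total cookie(s) carry Secure"
        return 0
    fi
    echo "$insecure" | sed 's/^/cookie without Secure: /' >&2
    return 1
}

TMP=${TMPDIR:-/tmp}
SECURE_HDRS=$TMP/osso-secure-$$.txt
PLAIN_HDRS=$TMP/osso-plain-$$.txt
MIXED_HDRS=$TMP/osso-mixed-$$.txt

# Constructed: redirect to the login page with OssoSecureCookies on.
printf '%s\r\n' 'HTTP/1.1 302 Found' \
    'Set-Cookie: OHS-app.mydomain.com-4443=cGFydG5lcg==; path=/; Secure' \
    'Location: https://sso.mydomain.com:4443/sso/' '' > "$SECURE_HDRS"

# Constructed: the same response with the directive at its default.
printf '%s\r\n' 'HTTP/1.1 302 Found' \
    'Set-Cookie: OHS-app.mydomain.com-4443=cGFydG5lcg==; path=/' \
    'Location: https://sso.mydomain.com:4443/sso/' '' > "$PLAIN_HDRS"

# Constructed: mod_osso's cookie is secured, but the application behind it
# (here a servlet session cookie under /j2ee/webapp) set its own cookie
# without Secure. The directive only covers cookies mod_osso creates.
printf '%s\r\n' 'HTTP/1.1 200 OK' \
    'Set-Cookie: OHS-app.mydomain.com-4443=cGFydG5lcg==; path=/; secure; HttpOnly' \
    'Set-Cookie: JSESSIONID=c2Vzc2lvbg==; Path=/j2ee/webapp' '' > "$MIXED_HDRS"

check_secure_cookies "$SECURE_HDRS"
check_secure_cookies "$PLAIN_HDRS" || echo "OssoSecureCookies is not in effect"
check_secure_cookies "$MIXED_HDRS" || echo "an application cookie can still travel over HTTP"
```

Against a live server, call fetch_headers on the protected URL and on the URL the redirect lands on, then check_secure_cookies on each dump; a return of 2 means the response you captured set no cookie and you need to look at another hop of the login sequence.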